Quick answer: If anyone in your business uses ChatGPT, Copilot or any other AI tool for work, you need an AI policy. It doesn’t need to be long. One page covering approved tools, what data can never be pasted in, who checks AI output before it goes out, and who to ask when someone is unsure is enough to protect most NZ small businesses.
Someone on your team is already using AI. You probably just don’t know which tool, on which account, with which customer’s details in the prompt.
That’s not a hypothetical. The EMA’s 2026 workforce survey found 83% of NZ SMEs are already using AI, while only 13% have an AI policy in place. That gap is where the trouble lives.
Here’s the good news: writing an AI policy is not a legal project. It’s a one-page conversation with your team, written down. This guide covers what to put in it, what to leave out, and a template you can copy today.

What is an AI policy, actually?
An AI policy is a short internal document that tells your staff what they can and can’t do with AI at work. That’s it.
It’s not a compliance framework. It’s not a risk register. For a business with five people, it’s one page that answers four questions: which tools are okay, what information must never go into them, who checks the output, and who do I ask if I’m not sure.
The point isn’t to stop people using AI. It’s to stop them using it badly, on tools you’ve never heard of, with data you’re legally responsible for.
Does a small NZ business really need one?
If you have staff and they touch customer information, yes.
Under the Privacy Act 2020, you are accountable for personal information your business holds, including when an employee pastes it into a chatbot. The Office of the Privacy Commissioner has been clear that using an AI tool doesn’t transfer that responsibility to the AI company. It stays with you. We covered the detail of that in our guide to the NZ Privacy Act and AI.
There’s a second reason that has nothing to do with law. A policy gives your team permission. Right now most staff are quietly using AI and hoping nobody asks. That means nobody shares what’s working, nobody flags what went wrong, and you never see the productivity gains you’re already paying for.
The sole trader exception
If it’s just you, you don’t need a formal policy. You still need the rules, you just don’t need to write them down for anyone else. Decide what you’ll never paste into a chatbot, stick to it, and move on.
What actually goes wrong when there are no rules?
Two things, mostly. Neither is dramatic. Both are expensive.
Shadow AI. Staff use whatever free tool they found on their phone, on a personal account, because the business hasn’t given them anything approved. NZ is unusually exposed here. A 2026 Qualtrics study found only 12% of New Zealand employees use exclusively company-provided AI tools, the lowest rate of any market surveyed, against 20% globally. Enthusiasm is high, approved access is low, so people improvise.
Unchecked output. AI writes confidently and is sometimes wrong. A quote with a made-up figure, a client email citing a policy that doesn’t exist, an invoice reminder addressed to the wrong company. Nobody set a rule that a human reads it first, so nobody did.

What should an AI policy include?
Six sections. That’s the whole thing.
- Approved tools. Name them. “ChatGPT on the business account” is a policy. “Any reputable AI tool” is not.
- What you can use AI for. Drafting, summarising, brainstorming, first-pass emails, research starting points.
- What you can’t use AI for. Final decisions about people, anything that goes to a customer unread, anything you’d be embarrassed to have generated.
- Data rules. The hard line. What must never be typed into an AI tool, ever.
- Human review. Who checks AI output before it leaves the business, and for which types of work.
- Who to ask. One named person. Questions go there, not to Google.
The data rules matter most
If you only write one section, write this one. A workable default for most NZ small businesses: no customer names, contact details, addresses, health information, financial details, bank accounts, IRD numbers, contracts, or anything covered by an NDA goes into a public AI tool. If you need AI to help with a customer email, strip the identifying details out first and put them back in afterwards.
How do you write an AI policy in one afternoon?
- Find out what’s already happening. Ask your team, without consequences attached, which AI tools they use and what for. You’ll be surprised. This is the most useful thirty minutes of the whole exercise.
- Pick your approved tools. One or two, on business accounts, with paid plans where the provider commits not to train on your inputs. If you’re choosing, our ChatGPT vs Claude vs Gemini comparison walks through what each is best at.
- Write your data red lines. Use the list above as a starting point and add anything specific to your industry.
- Decide the review rule. Something like: anything going to a customer, a supplier, or the public gets read by a person first. Internal notes don’t.
- Name the person to ask. Usually you. Say so in the document.
- Read it to the team. Out loud, in a meeting, in ten minutes. A policy nobody has heard of is not a policy.
- Diary a review. Six months. The tools will have changed by then.
A simple AI policy template you can copy
Copy this, change the bracketed bits, and you’re done. It is deliberately plain. If it needs a lawyer to read it, your staff won’t.
[BUSINESS NAME] AI Use Policy
Last updated: [DATE]
1. Why we have this
AI tools can save us real time. They can also leak information and get things wrong. This page keeps us on the right side of both.
2. Tools you may use
You may use [TOOL 1] and [TOOL 2] on the business account. If you want to use something else for work, ask first.
3. What AI is good for here
Drafting emails and documents, summarising long material, brainstorming, rewriting for tone, first-pass research, and turning rough notes into something readable.
4. What AI must not be used for
Final decisions about hiring, pay, or discipline. Anything sent to a customer without a person reading it first. Anything presented as professional advice. Creating content that misrepresents our business.
5. Information that never goes into an AI tool
Customer names and contact details. Addresses. Health information. Financial or bank details. IRD numbers. Contracts and anything under an NDA. Passwords or system credentials. Employee records.
If AI would help with a task involving these, remove the identifying details first.
6. Human review
Anything AI helped produce that goes to a customer, supplier, or the public must be read and approved by a person before it leaves. You are responsible for what you send, not the tool.
7. Be honest about accuracy
AI makes things up confidently. Check any fact, figure, price, date, or name before you rely on it.
8. If you’re not sure
Ask [NAME]. Nobody gets in trouble for asking. People get in trouble for guessing.
9. Review
We’ll review this policy on [DATE, 6 MONTHS OUT].
Where most NZ businesses get this wrong
Here’s our honest take, having watched a lot of small businesses approach this.
The instinct is to ban AI, or to write something so cautious that the practical answer is “don’t”. That feels responsible. It isn’t. It just pushes AI use onto personal phones and personal accounts, where you have no visibility at all. The 12% figure above is what a culture of quiet bans looks like from the outside.
The opposite mistake is downloading a fifteen-page corporate template built for a company with a compliance team, filing it, and never mentioning it again. Nobody reads it. Nothing changes.
The businesses that get this right do something unglamorous: they pick one tool, pay for it, tell everyone the three things they must never paste into it, and get on with the job. The policy is short because the rules are short. If you’re still working out where AI fits in your business at all, start with the NZ Business Owner’s AI Starter Guide before you write a policy about it.
Frequently asked questions
Is an AI policy a legal requirement in New Zealand?
No. There’s no law that says you must have one. But the Privacy Act 2020 does hold you responsible for personal information your staff handle, including in AI tools, so a policy is how you show you took reasonable steps. It’s evidence, not a box to tick.
How long should an AI policy be?
One page for most small businesses. Two if you’re in a regulated industry like health or finance. Anything longer and your team won’t read it, which defeats the point entirely.
Can staff use ChatGPT on their personal account for work?
We’d say no, and your policy should say no. Personal accounts sit outside your control, often train on what’s typed into them, and leave no trail if something goes wrong. If you want people using AI, give them a business account.
What if an employee already pasted customer data into a chatbot?
Don’t panic and don’t punish the first person who tells you. Find out what was shared, check the tool’s data retention settings, delete the chat history where you can, and assess whether it meets the threshold of a notifiable privacy breach under the Privacy Act. Then write the policy so it doesn’t happen twice.
Do I need to tell customers we use AI?
Sometimes. If AI is making or materially influencing a decision about someone, or handling their personal information, transparency is the expectation the Privacy Commissioner has set. Using AI to tidy up the grammar in a newsletter is different from using it to screen job applicants.
How often should we update the policy?
Every six months, or whenever you add a new tool. AI moves fast enough that a policy written a year ago probably names tools you no longer use and misses ones you do.
Want the rules and the systems sorted properly?
A policy tells your team what not to do. The bigger win is giving them AI tools and automations that are safe by design, so the risky workaround never looks tempting in the first place. That’s what we build for NZ businesses.
See how Overcomers AI can set up safe, useful AI systems for your business.

Leave a Reply